Many security vulnerabilities have been identified in this protocol over the years, including:
- SMB unauthenticated Null Sessions in Windows 2000 and XP
- Plenty of Microsoft SMB and RPC bugs and vulnerabilities over the years.
The SMB protocol has also undergone many changes and improvements over the years to improve security, especially in its default implementation.

SMB listens on TCP port 445 and on TCP port 139, plus several UDP ports, when the Windows NetBIOS API is used.

There are other tools specifically for identifying which machines are running SMB or NetBIOS services, for example:
- nbtscan - NetBIOS name server scanner.

#man nbtscan

***************************
#nbtscan 10.11.1.200-254
***************************
nbtscan can even list logged-in users if any are present.

SMB - ACTIVE INFORMATION GATHERING: SMB Null Session Enumeration

*** WINDOWS XP (SP1) AND WINDOWS 2000 SERVERS ARE THE MAIN TARGETS (BUT NOT LIMITED TO) IN THE LABS HERE

An SMB Null Session refers to an unauthenticated NetBIOS session between two computers. This feature exists to allow unauthenticated users to obtain information about the machine, which is exactly the type of information we are interested in as attackers.

In Windows NT, 2000 and XP, the default configuration of the SMB service allowed Null Sessions to be created. From Windows 2003 and Windows XP Service Pack 2 onwards, the SMB service has this behaviour disabled, and many other security improvements were added.

Even in modern pen testing work, we will often find Windows machines vulnerable to these techniques.

Alternatively you may also stumble upon a more modern server with a misconfigured SMB service.

****************************
A useful tool to create a Null session and explore a remote SMB service is rpcclient.

The nmap smb-enum-users script tries to enumerate user names via a null session on the given machine as part of the scan. To use it:
eg:
#nmap -p 139,445 --script smb-enum-users 192.168.31.206

************************************
Another useful nmap SMB script is smb-check-vulns, which checks for the existence of several SMB vulnerabilities. (In current Nmap releases it has been replaced by the individual smb-vuln-* scripts, used below.)
Eg:
#nmap -p 139,445 --script=smb-check-vulns --script-args=unsafe=1 192.168.31.229

I have created a list of all IPs that appear to exist, called IPs.txt. Below I use this file to search all machines for SMB vulnerabilities.
#nmap -p 139,445 --script='smb-vuln*' --script-args=unsafe=1 -iL IPs.txt
************************************
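To turn the sweep above into a per-host list a defender can act on, here is an added example (not part of the original notes) that parses the XML nmap writes with -oX and reports which live hosts have 139/445 open and which smb-vuln-* host scripts reported VULNERABLE. The sample XML inside is constructed to mimic nmap's output shape; -oX and the script ids are real Nmap names.

```python
# Added example (not from the original notes): summarise an nmap SMB sweep
# saved with -oX, flagging hosts whose smb-vuln-* host scripts report VULNERABLE.
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample XML mimicking nmap's output shape; not captured from a real host.
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="192.168.31.229" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="139"><state state="open"/></port>
  <port protocol="tcp" portid="445"><state state="open"/></port></ports>
 <hostscript><script id="smb-vuln-ms08-067" output="VULNERABLE: (details)">
  <table key="EXAMPLE-ID"><elem key="state">VULNERABLE</elem></table></script>
 </hostscript></host>
<host><status state="up"/><address addr="192.168.31.206" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
 <hostscript><script id="smb-vuln-ms17-010" output="NOT VULNERABLE"/></hostscript></host>
<host><status state="down"/><address addr="192.168.31.1" addrtype="ipv4"/></host>
</nmaprun>"""

NOT_VULN = re.compile(r"\bNOT\s+VULNERABLE\b")

def script_is_vulnerable(script):
    """Prefer the structured <elem key="state"> the NSE vulns library emits;
    fall back to free text, remembering 'NOT VULNERABLE' contains 'VULNERABLE'."""
    states = [(e.text or "").strip().upper() for e in script.iter("elem")
              if e.get("key") == "state"]
    if states:
        return any(s.startswith(("VULNERABLE", "LIKELY VULNERABLE")) for s in states)
    return bool(re.search(r"\bVULNERABLE\b", NOT_VULN.sub("", script.get("output", ""))))

def summarise_smb_scan(xml_text):
    """Return {ip: {"smb_ports": [open 139/445], "vulnerable": [script ids]}} for live hosts."""
    summary = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None or host.find("status").get("state") != "up":
            continue
        ports = sorted(int(p.get("portid")) for p in host.iter("port")
                       if p.get("protocol") == "tcp" and p.get("portid") in ("139", "445")
                       and p.find("state").get("state") == "open")
        vulns = [s.get("id") for s in host.iter("script")
                 if s.get("id", "").startswith("smb-vuln") and script_is_vulnerable(s)]
        summary[addr.get("addr")] = {"smb_ports": ports, "vulnerable": vulns}
    return summary

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for ip, info in summarise_smb_scan(text).items():
        flag = "VULNERABLE " + " ".join(info["vulnerable"]) if info["vulnerable"] else "no finding"
        print(f"{ip:16} smb_ports={info['smb_ports']} {flag}")
```

Run it with the path to the -oX file as the only argument; without an argument it processes the embedded sample.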

SMB ports are not usually exposed to the internet, as they are known to be vulnerable, and many ISPs even filter out this traffic. As a result you are more likely to find these vulnerabilities in internal network environments. Finding an SMB port exposed to the internet usually indicates either a security oversight or a lack of proper port filtering on the owner's side.